Amid isolating sanctions, a Russian tech giant plans to launch new Android phones and tablets. But experts are skeptical the company can pull it off.

The fresh wave of sanctions after the invasion of Ukraine has given new wind to the concept of technological self-sufficiency, with Russia’s government launching multiple initiatives to create domestic substitutes for foreign electronics, online platforms, and software, on which many Russian companies are dependent.

Over a thousand tech companies stopped or curtailed their operations in Russia after the invasion of Ukraine. In just a month, Cisco, SAP, Oracle, IBM, TSMC, Nokia, and Ericsson, as well as Samsung and Apple, left the market, affecting entire industries, including mobile operators, factories, startups, and large state-owned companies. According to IDC, a global market-analysis firm, the Russian IT market in 2022 shrank by $12.1 billion, or 39 percent.

Russian prime minister Mikhail Mishustin said in February that Russia wants to replace 85 percent of foreign software with Russian substitutes, opening dozens of so-called import substitution centers. Among them is a project to create a national operating system for devices. The plan, however, is at an early stage with no road map in sight, says the Internet Research Institute’s Kazaryan.

“Currently, a few big players are trying to woo the government for subsidies to create devices on ‘national mobile OS,’ whatever that might be,” he says.

One of the more promising alternatives to Android is Aurora OS, a Linux-based smartphone operating system made by the Russian state-owned telecommunications firm Rostelecom. But Aurora was primarily made for government use and does not support Android apps. In December, the Russian government refused to allocate any of the 22 billion rubles ($292.1 million) earmarked for the development of the Russian operating system.

Other Russian smartphone makers, such as BQ, have promised to adapt Huawei’s HarmonyOS for its handsets. But there's been no news of progress since BQ’s announcement in September. Huawei, which is based in China, developed its own operating system in 2019 after Google stopped providing its suite of mobile software services to the company because of US trade sanctions. The Chinese IT giant has said it has no plans to launch HarmonyOS-equipped mobile phones outside of China.

Huawei’s struggle to compete outside China shows that it’s hard for a smartphone brand to gain buyers without access to Google services. Huawei lost almost a third of its revenue in 2020, the year after sanctions cut its access to Google Maps, Gmail, and other common Google apps. The biggest hurdle NCC’s new smartphone may face, however, is cheap and readily available phones from China. 

Counterpoint’s data shows that phones from Xiaomi, Realme, and Honor, a budget brand previously owned by Huawei, have replaced once best-selling iPhones and Samsung Galaxy devices, accounting for 95 percent of the market last year.

“There's still a lot of competition,” says Counterpoint’s Stryjak. “I don't think there's a huge gap in the market for a new player.”

Other Russian phones, most famously Yotaphone, have tried to capture the domestic market, but they remained at a very small scale, says Stryjak. Russians prefer brands they already know. Thanks to parallel trading—importing goods without the permission of the manufacturer—even Samsungs and iPhones are still available in the country. NCC says it aims to price its smartphones between 10,000 and 30,000 rubles ($132 and $398). 

“We are considering various options. This could be production at Russian factories or contract manufacturing at Chinese enterprises,” NCC’s Kalinin told local media. NCC did not respond to WIRED’s request for comment.

Other Russian smartphone makers such as Smartekosistema, owned by state giant Rostec, have found that they were unable to procure the necessary chips from TSMC for the second iteration of their handset, the AYYA T2. All of this may make creating Russian challengers to Samsung or Apple very expensive.

“You probably can make a smartphone in Russia with Chinese parts, but it's not very efficient,” says Kazaryan. “And why would anyone buy a Russian phone that is more expensive than Xiaomi?”

The Sketchy Plan to Build a Russian Android Phone

In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242537431

_Published February 6, 2023 | Updated February 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-27059

A-159249069

EoP

High

12, 12L

CVE-2022-20443

A-194480991 \[2\]

EoP

High

11, 12, 12L

CVE-2022-20551

A-243376549

EoP

High

12, 12L, 13

CVE-2023-20934

A-258672042 \[2\]

EoP

High

12, 12L, 13

CVE-2023-20942

A-258021433

EoP

High

12, 12L, 13

CVE-2023-20943

A-240267890

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20944

A-244154558

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20948

A-230630526

ID

High

12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20933

A-245860753

EoP

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-43680

A-255449293

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20939

A-243362981

EoP

High

12, 12L, 13

CVE-2023-20940

A-256237041

EoP

High

13

CVE-2023-20945

A-246932269

EoP

High

10

CVE-2023-20946

A-244423101

EoP

High

11, 12, 12L, 13

CVE-2022-20481

A-241927115

ID

High

10, 11, 12, 12L, 13

CVE-2023-20932

A-248251018

ID

High

10, 11, 12, 12L, 13

CVE-2022-20455

A-242537431 \[2\] \[3\] \[4\] \[5\]

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2022-20481

**2023-02-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-39189

A-245869446  
Upstream kernel

EoP

High

KVM

CVE-2022-39842

A-245928838  
Upstream kernel

EoP

High

Video

CVE-2022-41222

A-248354871  
Upstream kernel

EoP

High

Kernel memory subsystem

CVE-2023-20937

A-257443051  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\]

EoP

High

Memory Management

CVE-2023-20938

A-257685302  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\]

EoP

High

Binder

CVE-2022-0850

A-245406696  
Upstream kernel

ID

High

ext4

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2023-20602  

A-261367136  
M-ALPS07494107 \*

High

ged

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-47331  

A-262503737  
U-1946329 \*

High

Kernel

CVE-2022-47339  

A-262503731  
U-2029419 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33243  

A-245402502  
QC-CR#3217329

Critical

Kernel

CVE-2022-33280  

A-250627584  
QC-CR#3040964 \[2\] \[3\]

Critical

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33232  

A-240972480 \*

Critical

Closed-source component

CVE-2022-40514  

A-258057252 \*

Critical

Closed-source component

CVE-2022-33221  

A-240972893 \*

High

Closed-source component

CVE-2022-33233  

A-240972514 \*

High

Closed-source component

CVE-2022-33248  

A-240972595 \*

High

Closed-source component

CVE-2022-33271  

A-258057374 \*

High

Closed-source component

CVE-2022-33277  

A-258057281 \*

High

Closed-source component

CVE-2022-33306  

A-258057409 \*

High

Closed-source component

CVE-2022-34145  

A-258057258 \*

High

Closed-source component

CVE-2022-34146  

A-258057317 \*

High

Closed-source component

CVE-2022-40502  

A-258057203 \*

High

Closed-source component

CVE-2022-40512  

A-258057239 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-02-01 or later address all issues associated with the 2023-02-01 security patch level.
*   Security patch levels of 2023-02-05 or later address all issues associated with the 2023-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-02-01\]
*   \[ro.build.version.security\_patch\]:\[2023-02-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 6, 2023

Bulletin Published

1.1

February 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20455: Android Security Bulletin—February 2023

There is an identity authentication bypass vulnerability in Huawei Children Smart Watch (Simba-AL00) 1.1.1.274. Successful exploitation of this vulnerability may cause the access control function of specific applications to fail.

The Huawei Children Smart Watch (Simba-AL00) has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may cause the access control function of specific applications to fail.(Vulnerability ID:HWPSIRT-2022-18770)  
This vulnerability has been assigned a (CVE) ID: CVE-2022-48305

Affected Product

Affected Version

Repair Versions

Simba-AL00

Simba-AL00 1.1.1.274

Simba-AL00 1.1.1.302

  

HWPSIRT-2022-18770:  
Successful exploitation of this vulnerability may cause the access control function of specific applications to fail.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.   
HWPSIRT-2022-18770   
Base Score: 6.2   
Temporary Score: 5.8   
Environmental Score: NA   
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

HWPSIRT-2022-18770:   
This vulnerability can be exploited only when the following conditions are present:    
Attackers need to construct malicious voice commands.   
Technical details:    
The Huawei Children Smart Watch (Simba-AL00) has an identity authentication bypass vulnerability. Attackers can construct malicious voice commands to open specific applications. Successful exploitation of this vulnerability may cause the access control function of specific applications to fail.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-18770:   
The vulnerability was discovered by an external researcher.

2023-02-08 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48305: Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00)

A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.

A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions. (Vulnerability ID:HWPSIRT-2022-90086)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48284

  

Affected Product

Affected Version

Repair Version

HarmonyOS AILife Solution 6.0

HiLink AI Life 12.0.2.305

HiLink AI Life 12.0.3.305

HWPSIRT-2022-90086:

Successful exploitation could allow attackers to access restricted functions.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-90086

Base Score: 4.5

Temporary Score: 4.2

Environmental Score: NA

CVSS v3.1 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C

  

HWPSIRT-2022-90086:

This vulnerability can be exploited only when the following conditions are present:

Attackers construct malicious applications.

Technical details:

A piece of Huawei whole-home intelligence software does not correctly verify the caller's permission. As a result, an Incorrect Privilege Assignment vulnerability is caused. An attacker can construct a malicious application to exploit this vulnerability and access restricted functions.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

2023-02-01 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48284: Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software

*   SA No:huawei-sa-IPAViHWHIS-1afe7781
*   Initial Release Date: 2023-02-01
*   Last Release Date: 2023-02-01

  

A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.(Vulnerability ID:HWPSIRT-2022-52968)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48283

Affected Product

Affected Version

Repair Versions

HarmonyOS AILife Solution 6.0

HiLink AI Life 12.0.2.305

HiLink AI Life 12.0.3.305

  

HWPSIRT-2022-52968:

Successful exploitation could allow attackers to access restricted functions.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-52968

Base Score: 7.0

Temporary Score: 6.5

Environmental Score: NA

CVSS v3.1 Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

  

HWPSIRT-2022-52968:

This vulnerability can be exploited only when the following conditions are present:

Attackers construct malicious applications.

Technical details:

A piece of Huawei whole-home intelligence software does not correctly verify the caller's permission. As a result, an Incorrect Privilege Assignment vulnerability is caused. An attacker can construct a malicious application to exploit this vulnerability and access restricted functions.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-52968:

This vulnerability was discovered by Huawei internal tester.

  

2023-02-01 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48283: Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software

There is a misinterpretation of input vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation of this vulnerability may cause the printer service to be abnormal.

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.(Vulnerability ID:HWPSIRT-2022-78037)  
This vulnerability has been assigned a (CVE) ID: CVE-2022-48261

Affected Product

Affected Version

Repair Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

  

HWPSIRT-2022-78037:  
Successful exploitation of this vulnerability may cause the printer service to be abnormal.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.   
HWPSIRT-2022-78037  
Base Score: 7.5  
Temporary Score: 7.0  
Environmental Score: NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-78037:  
This vulnerability can be exploited only when the following conditions are present:  
An attacker can send a specially crafted packet to the affected device.   
Technical details:   
The packet parsing module of a port on a Huawei printer has a misinterpretation of input vulnerability. The vulnerability is caused by insufficient verification of external input packets. Attackers can exploit this vulnerability by constructing malicious packets. Successful exploitation could lead to printer device service exceptions, etc.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-78037:  
This vulnerability was discovered by Huawei internal tester.  

2023-01-18 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48261: Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer

There is a buffer overflow vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation could lead to device service exceptions.

A Huawei printer product has a buffer overflow vulnerability. Successful exploitation could lead to device service exceptions. (Vulnerability ID:HWPSIRT-2022-17649)   
This vulnerability has been assigned a (CVE) ID: CVE-2022-48260

Affected Product

Affected Version

Resolved Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

HWPSIRT-2022-17649:  
Successful exploitation could lead to device service exceptions.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-17649:  
Base score:7.5  
Temporary score:7.0  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-17649:  
This vulnerability can be exploited only when the following conditions are present:   
Attackers can access device network ports.  
Technical details:  
A Huawei printer product has a buffer overflow vulnerability. Attackers who can access network ports can construct malicious packets to exploit this vulnerability. Successful exploitation could lead to device service exceptions.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-17649:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48260: Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product

There is a system command injection vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation could allow attackers to gain higher privileges.

A Huawei printer has a system command injection vulnerability. Successful exploitation could allow attackers to gain higher privileges. (Vulnerability ID:HWPSIRT-2022-87340)   
This vulnerability has been assigned a (CVE) ID: CVE-2022-48259

Affected Product

Affected Version

Resolved Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

HWPSIRT-2022-87340:  
Successful exploitation could allow attackers to gain higher privileges.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-87340:  
Base score:9.8  
Temporary score:9.1  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-87340:  
This vulnerability can be exploited only when the following conditions are present:   
Attackers can gain access to the affected target devices.  
Technical details:  
A Huawei printer product has a system command injection vulnerability. An attacker can exploit this vulnerability by sending a specially crafted packet to a specific port of the target device. Successful exploitation could allow the attacker to gain higher privileges.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-87340:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48259: Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product

There is a system command injection vulnerability in BiSheng-WNM FW 3.0.0.325. A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution.

*   SA No:huawei-sa-SCIViaHPP-f18e962a
*   Initial Release Date: 2023-01-18
*   Last Release Date: 2023-01-18

  

A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution.(Vulnerability ID:HWPSIRT-2022-90114)

This vulnerability has been assigned a (CVE)ID:CVE-2022-48255

  

Affected Product

Affected Version

Repair Version

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

  

HWPSIRT-2022-90114:

Successful exploitation could lead to remote code execution.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-90114

Base Score: 9.8

Temporary Score: 9.1

Environmental Score: NA

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

  

HWPSIRT-2022-90114:

This vulnerability can be exploited only when the following conditions are present:

An attacker can access devices through the network.

Technical details:

A Huawei printer product has a system command injection vulnerability. This vulnerability is caused by improper filtering of special characters in external input. Unauthorized attackers can exploit this vulnerability by constructing malicious external input. Successful exploitation could lead to remote code execution.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-90114:

This vulnerability was discovered by Huawei internal tester.

  

2023-01-18 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48255: Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product

There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication.

A Huawei band has a data processing error vulnerability. Successful exploitation could bypass lock screen authentication.(Vulnerability ID:HWPSIRT-2022-11965) This vulnerability has been assigned a (CVE)ID:CVE-2022-48254

Affected Product

Affected Version

Repair Version

Leia-B29

Leia-B29 2.0.0.49(M03)

Leia-B19 2.0.0.56(M04)

HWPSIRT-2022-11965:

Successful exploitation could bypass lock screen authentication.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-11965

Base Score: 6.2

Temporary Score: 5.8

Environmental Score: NA

CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

  

HWPSIRT-2022-11965:

This vulnerability can be exploited only when the following conditions are present:

The attacker needs to perform operations on the affected device.

Technical details:

The lock screen function of a Huawei band has a data processing error vulnerability. This vulnerability is caused by improper implementation in certain lock screen scenarios. An attacker can exploit this vulnerability by following specific operations. Successful exploitation may bypass screen lock authentication.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-11965:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Tag

#huawei